The Relational Security Assessment Model

I have found over the years that organizations often have a difficult time performing good quantitative or qualitative assessments. Many times, consulting agencies are brought in to perform the assessment process, but the results are overly complex and still not of great use to the average organization. Numerous organizations have stopped performing risk analysis altogether because of these issues. It was with these problems in mind that the Relational Security Assessment Model was created.

What Is the Relational Security Assessment Model?

The Relational Security Assessment Model is a patent-pending method for performing a risk assessment that combines aspects of both the qualitative and quantitative approaches. The full assessment model has been integrated into products like the Relational Security Audit Manager (RSAM) application, which is used by organizations to help automate the security assessment process. Here, however, we will cover a simpler version that removes some of the complexity. Using this relational model, we will define a series of meaningful values and assign those values to different objects. Based on the resulting risk values, we will then go a step further and develop a policy dictating how to handle objects of specific risk values. (To see more on the full Relational Security Assessment Model, visit www.relationalsecurity.com.)


The Relational Security Assessment Model will break down the assessment process into simple and consistent steps. Within a small organization, this process can be performed without a great deal of effort. Within mid-sized and large organizations, it is recommended to use automated tools like RSAM or to develop your own mechanism for collecting and cross-evaluating the various details we will be discussing here.

Basic Rules for any Risk Assessment

There are a couple of common stumbling blocks I often see when risks and threats are being considered within an organization. The following guidelines are important to keep in mind whenever dealing with such evaluations:

Use a Reasonable Worst-Case Scenario

When considering risks for any particular object, the tendency is to only look at direct damages that could be inflicted and not consider other potential elements. Even though a particular server could be rebuilt in a matter of hours, it would be reasonable to assume it would take a full day given a bad series of circumstances. Consider also that a particular WAN link could go unused about 90% of the time, but it is feasible that disaster could strike during the time at which it is most needed. Taking a reasonable worst-case scenario is the best approach when looking at object risk. If all systems and devices are evaluated based on this worst-case scenario, it will be much easier to compare, contrast, and not be caught off-guard when disaster strikes.

Avoid Tunnel Vision

When performing a risk assessment, it is best to follow formal processes that lead to consistent results. It is also important, however, to stay alert and use common sense. There is no formula in existence that can catch every vulnerability, or fit perfectly in every situation. By keeping our eyes and minds open, we will notice a great deal more about the security of our environment than if we strictly follow the process.

Exclude Existing Security Measures

The process of determining risks and threats is used to determine the proper security controls that should be applied. As such, it is important not to weigh any existing security controls when evaluating an object's risk factors. The goal is to consider risks based on the function of an object and not include any current measures that mitigate such risks. A system on an uninterruptible power supply has the same downtime risk as a system without any power protection.

Example

Take, for example, an organization that has two routers controlling the entire network infrastructure. Router A has a redundant device, is continually monitored, and has all the latest security updates. Router B is not redundant, goes unmonitored, and has no security patches applied. Despite the levels of control on each, the natural risks and threats for both routers are the same. They are both critical routers, and if either went down, it would cause a lot of damage within the environment. Both demand equal attention for security.

Use a Consistent Scale with Common Criteria

When considering risks within an environment, it is important to use a consistent scale with common criteria. Risk evaluations often tend to be inaccurate because organizations apply inconsistent rankings based on the circumstances surrounding each object. Security rankings must instead be related by some common criteria on which we base our overall evaluation.

In talking to the directors of Human Resources and Finance, we will see that both view their systems as absolutely critical. It is obvious to us, however, that one system is more important to the company than the other. The process of determining how critical an object is must be based on objective facts. Throughout the entire risk assessment process, we must use constant factors that can be compared with each other, and that are universally applicable.

Example

Both Human Resources and Finance say that their servers are of high-risk value and that any failure would be devastating to their environment. This may be true for the individual department, but our assessment must weigh risks based on the entire organization. To determine which server is really of greater risk to the company, we must take several constant factors into consideration. Table 8.3 looks at the employee effect factors if the main servers are unavailable:

Table 8.3. Example Failure Scenario

| System | Non-Objective Evaluation | Objective Evaluation |
|---|---|---|
| HR server | Server uptime is critical to us! | 1 hour of downtime could cause $1,250 in employee downtime (50 employees require the system to work; average cost/employee is $25/hour) |
| Finance server | Downtime could not be tolerated at all! | 1 hour of downtime could cause $8,000 in employee downtime (400 employees require the system to work; average cost/employee is $20/hour) |

Here we can more accurately determine which of the servers is of greater risk to the entire organization. Of course, we will weigh many different factors and ask a variety of risk-related questions. To make the evaluation process as effective as possible, we should try to make our considerations as universally applicable as possible and ask the same types of questions for everything. This will be discussed in the section titled Risk Factors.
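As an added illustration (not from the book or from RSAM), the following Python sketch applies three of the rules above, a reasonable worst-case outage, exclusion of existing controls, and one common criterion for every object, to the two servers of Table 8.3 and the two routers of the earlier example; the eight-hour outage duration and the router head counts and rates are assumptions.

```python
from dataclasses import dataclass

# Assumption (not from the book): a "reasonable worst case" outage lasts a
# full business day of eight hours, even if a rebuild usually takes less.
WORST_CASE_OUTAGE_HOURS = 8


@dataclass(frozen=True)
class AssessedObject:
    """One object in the assessment, described by its function only."""
    name: str
    dependent_employees: int   # people who cannot work while it is down
    avg_hourly_cost: float     # average cost per affected employee-hour
    # Existing controls are recorded for later control planning but are
    # deliberately not an input to the risk value ("Exclude Existing
    # Security Measures").
    existing_controls: tuple = ()


def hourly_downtime_cost(obj: AssessedObject) -> float:
    """Objective evaluation used in Table 8.3: employees x cost per hour."""
    return obj.dependent_employees * obj.avg_hourly_cost


def worst_case_exposure(obj: AssessedObject,
                        hours: int = WORST_CASE_OUTAGE_HOURS) -> float:
    """Same criterion and same outage duration applied to every object."""
    return hourly_downtime_cost(obj) * hours


def rank_by_exposure(objects):
    """Highest organization-wide exposure first; controls never affect order."""
    return sorted(objects, key=worst_case_exposure, reverse=True)


# Constructed inventory: the two servers of Table 8.3 and the two routers
# of the earlier example. Router figures are assumptions.
HR_SERVER = AssessedObject("HR server", 50, 25.0)
FINANCE_SERVER = AssessedObject("Finance server", 400, 20.0)
ROUTER_A = AssessedObject("Router A", 450, 22.0,
                          ("redundant", "monitored", "patched"))
ROUTER_B = AssessedObject("Router B", 450, 22.0)
INVENTORY = [HR_SERVER, FINANCE_SERVER, ROUTER_A, ROUTER_B]

if __name__ == "__main__":
    for obj in rank_by_exposure(INVENTORY):
        print(f"{obj.name:15} ${worst_case_exposure(obj):>10,.2f}")
```

Router A and Router B receive identical risk values despite their very different control levels; the controls become relevant only in the later step of deciding what to apply.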



Inside the Security Mind: Making the Tough Decisions
Author: Kevin Day
ISBN: 0131118293
Year: 2006
Pages: 119
